I agree, you can only do what you can, its the ease of use factor the main issue here, losing the "bloat" and returning to a sensible straightforward familiar system. Classic Shell is a life saver with Windows 8 & 10.
For Windows 10 to truly offload any and all telemetry, you need a private and secure VPN to use for your internet use. You can download 3rd party app after 3rd party app; firewall tool after firewall tool, but unless you're able to actively and properly ghost/conceal your entire online presence, you simply cannot offload all telemetry or prevent all Microsoft telemetry. When I utilize either my employment's private VPN, or my own VPN, the datacenter that provides my DS3 connection cannot even see my server nor any devices. Domains do not resolve, nor do IP addresses. This is NOT the same as making your online presence anonymous, though properly doing the latter can also be quite good (as an example, utilizing onion routing like Tor incorporates). Privacy increases and telemetry decreases the older Windows versions you go. Personally I think Windows 7 is one of the most optimal, despite not using that OS for any of my current devices. And of course there's Linux, and plenty of flavors of it, too.
Bloat is your least problems, and LTSB 2016 isn't that "debloated" as people say, it's more a little bit, but it's still Win10 and it has to be heavily tweaked to approach Win7. It's a labor intensive work, considering custom ISOs are a no-no, it's harder because we have to go through long lists of checks and todo's after a clean installation to get all the hundreds of settings tuned up correctly, and most people don't have the patience for that, thankfully I do. Unfortunately the 2016 LTSB does not have the settings in Win32 Win7 GUI anymore like 2015 did as reported by some people. NOT ALL LTSB are the same in terms of deprecated stuff getting removed or tweaks which bring back Win7 experience ... I found one such case. The 2016 LTSB N (no media player stuff) Anniversary Update 1706 14393.206 does have the UseWin32TrayClockExperience registry key working and the GUI assets are still there and it works 100%. While the 2016 LTSB normal version Anniversary Update 1706.14393.0 does not have Win32TrayClockExperience working, I'm trying to fix this problem by either updating to .206 or doing some unfortunate hacking, because the update KB that brings up to .206 has some stuff in that I don't want, I forgot exactly which KB it was but it was mentioned somewhere and I'll try to find it until next time when I make a thread about this. Same goes for UseWin32BatteryFlyout .... but not tested since I'm not on a laptop. The two projects we should start is to bring back the LTSB 2015 Win32 GUI in most setting dialogs into LTSB 2016 even if some versions of LTSB 2016, while not causing too much changes and hopefully not having to replace a lot of DLLs or too much version change. But if you want to start on making a Win7 like Win10, a LTSB is obviously the best place to start.
It can be done with a lot of tweaking most of which is already covered by using combination of Win10 anti-spy tools,hosts, DNSAPI.DLL hacks, IPtables on router, no need for a VPN technically. About the anti-spy tools, I just smacked 4 or 5 of them one by one, I get lots of errors in event viewer about apps missing files and services not existing or not being able to connect to the internet, who would have thought those kinds of things would be a good thing one day haha. Win7 does have CEIP and Application Experience and you still need to do DNSAPI.DLL hacks along with hosts so Win7 is not 100% clean either. There's quite a few Microsoft Tasks that have to be disabled, the diagnostic stuff, CEIP, and Wininet, it's best to take time and go though all of them, when it says something about collecting something, it's usually a bullseye! Obviously all of this is not for the "always need latest updates" crowd, if you want privacy you need to say goodbye to automatic online updates and only use offline dism installations which is not user friendly but really at the end of the day a monkey could do it.
Then try it yourself, I don't have a spare disk right now, I'm doing heavy mainteance with my other OSs migration between SSDs and just general PC hardware stuff. It could all be just there, they could have just disabled the function that monitored that registry key, or have modified some GUIDs or paths and this key wasn't important so it was ignored, we could bring it back if we figure out how to activate it in a different way. It would take programmers looking at those DLLs I found these get used when the clock is clicked (I have the key applied but doesn't work) ClockFlyoutExperience.dll StartUI.dll twinui.dll CoreUIComponents.dll Windows.UI.dll Windows.UI.xaml.dll Also many references to ShellExperienceHost in registry and .exe \REGISTRY\A\{0afb3abb-a109-7335-2bd1-8e5b15ada3c7}\LocalState\ClockFlyoutCache\20180305 (never seen such a path before, also seems volatile) Anyone with file version 10.0.14393.206 (rs1_release.160912-1937) should apply this Win32Clock and see if it works for them, no matter if you have Pro or Enterprise or else, try it anyway. ----------- It's not well known but DNSAPI.DLL has around 10 URLs which bypass the hosts file, unfortunately there's no other way but to directly edit the DLL to rename those URLs, which breaks the windows file integrity, so you must avoid running sfc /scannow https://forums.mydigitallife.net/threads/the-win8-dnsapi-dll-ms-domains-hosts-file-thing.57804/ Not just Win8, it's all modern OS since Vista, probably even XP even less likely, I wouldn't be surprised. This is not only a Win10 thing.
3rd party software utilities are generally awful ways to try to increase system security. These "tiny" apps gloss over back-end, shady "optimizations," and this is true with countless popular programs, too; some of which are advertised on this very forum. And you're right, a VPN is not the only route one can take. Server admins are always locking down networks manually, or through official server software, with end-point deployments reserved mostly for hardware security and management and device access. That said, I do run a full encrypted VPN on my personal server but that's not because of web-browsing, but because of the various repositories and access to databases I have granted to other individuals in order to ensure a completely secure connection between the server and host. VPNs have always been my preferred method for securely navigating some of the hellish corners of the internet, and the government entity I work for requires use of their secure VPN for any connection to their servers. I've always had superb results with well-configured, secure VPNs in comparison to multiple other avenues including high-end enterprise-grade encrypted networking devices, since having the hardware to support a full VPN allows for various level tunneling protocols to be used based on how little or much security specific connections require, not to mention allowing for multiple modes of end-point authentication from biometrics, PKI/certificates, two-factor verification, cryptography, secure hardware linked authentication, etc. Though clearly the aforementioned is not for someone who's simply looking for increased OS privacy and debloating. For that, there are plenty of free ways to reduce both, but the regular Windows user would be surprised at how effective even a lower-grade secure VPN works to tackle all modes of unwanted probing, and without the use of multiple tools or personal monitoring.
hello, can you elaborate on this part for me as I use ltsb 2015, "the settings in Win32 Win7 GUI anymore like 2015 did as reported by some people"??? thanks!! like are you saying there is some tweak or something you can change in ltsb 2015??
I haven't yet commited time for such deep research yet, it may possibly never happen since it would be quite an effort to try to mod/hack the DLLs in a way it would bring back that functionality but also to work with a newer Win10 version. Just bringing back the Win32 Clock is going to be a challange I suspect, even if it's a very small version change that made the difference. It could be impossible, because I would need that exact update file which installs those updates which bump the Win10 version from x.xxxxx.0 to .206 - if someone isn't making update dumps all the time, these updates could be gone because they get replaced by newer ones, I hope WSUSOffline project was doing all that in the meantime since 2015. Then you can install the base .0 version and put that update over it, and monitor and analyze what changes were made, that way it would be way easier/faster to figure out what makes the Win32 Clock Experience to work, and other such things. First on my list is getting all the Win7 icons to work on Win10 - that's a system DLL mod as well, unfortunately, because for some stupid reason this is all kept in DLLs such as shell32.dll I am also ofcourse still setting up programs/accounts and tweaks on the fresh Win10, some configs/saved stuf from Win7 adaptation, doing a lot of image cloning, backuping, migration etc ... it's something I wish to do really good so it can't be a rush job. As I'm occupied with a ton of other chores, I had big maintenance/home improvement along with several pieces of computer hardware failing, so I had to repair and do all that, so most of the Win10 modding has been delayed for many months, I need a personal break too since I'm exhausted mentally as well. I'll give you a headsup when I open up a thread about that or similar stuff.
I'm using win 10 LTSB on a laptop that I use a mediacenter. MPC-HC with madVR works just fine. You will only run into problems with HDR content. In fact LTSB is so great because its lightweight and doesn't f*ck with your setup every patch Tuesday.
Agree with your post, but I think Enterprise where available offers better options than Pro. Otherwise, I tend to think the same about Enterprise vs Enterprise LTSB like you said about Pro vs Enterprise LTSB. There is also the middle of the road approach, in the sens of using full Enterprise with the tweaks mentioned and few more in the Group Policies specific only to Enterprise, but using only the versions where there is an LTSB and a server release. The next upgrade would be done when the next LTSB/LTSC is released. What I mean by this is to use a full Enterprise 1607 without upgrading until 1809 LTSC is released and so on. This would emulate to a certain degree the well known upgrade cycle from Windows 7, Windows 8.1 and any other previous version, although a little bit shorter. It would also avoid losing settings and re-tweaking following too frequent feature upgrades.